Tcpdump before iptables?

Darrell Dieringer netfilter@darrelldieringer.com
Thu, 26 Jul 2001 14:04:16 -0500


I suppose what a person sees depends on what interface tcpdump is presently
watching, and whether those packets have been / will be forwarded /
masqueraded.

It looks to me (and many others) that tcpdump watches what's on the wire.
This will either be "before" netfilter or "after" netfilter, depending on
(1) which interface you're watching (internal vs. external) and (2) whether
the packet was SNAT'ed / unSNAT'ed and forwarded by netfilter from one
interface to the other.  What's "before" netfilter on one interface may be
forwarded and look like "after" netfilter on the other.

If you're watching the external interface, you will see packets on the wire
that have the address masqueraded by netfilter (i.e. what's on the wire
"after" netfilter has done its magic).  That's what you want.  If you're
watching the internal interface, those packets won't be masqueraded yet.


 |Internet|                           |MASQed Network|
     |(a)-------------|Netfilter|------------(b)|

interfaces (a) (b)

tcpdump watching (a) will see packets that _will_ travel (a)->(b) "before"
netfilter, but will see packets that _have_ traveled (b)->(a) "after"
netfilter.

The opposite is true for tcpdump watching interface (b).

That's the best sense I can make of it.  If I'm wrong, feel free to
constructively correct my mis-steps.

Darrell


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Florin Andrei
Sent: Thursday, July 26, 2001 1:27 PM
To: 'NetFilter List'
Subject: Re: Tcpdump before iptables?


On 26 Jul 2001 09:22:35 +0200, Denis Ducamp wrote:
>
> Nope, tcpdump receives packets _after_ prerouting, so when you listen on the
> Internet interface of a masquerading gateway, you see packets with their
> internal address:

What? Even if you run tcpdump in promiscuous mode? (tcpdump -p)

--
Florin Andrei
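
Added example (not part of the original thread): a toy Python model of the capture points on a masquerading gateway, assuming the packet tap that tcpdump reads sits at device ingress before netfilter and at device egress after it. The class name, addresses and ports are constructed for illustration; the interface labels (a) and (b) follow the diagram in Darrell's message.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")


class MasqGateway:
    """Toy model (hypothetical class): (a) is the Internet side, (b) the MASQed side."""

    def __init__(self, ext_ip, ext_if="a", int_if="b"):
        self.ext_ip, self.ext_if, self.int_if = ext_ip, ext_if, int_if
        self.conntrack = {}                       # (remote ip, remote port, local port) -> internal ip
        self.captures = {ext_if: [], int_if: []}  # what tcpdump would record per interface

    def forward(self, pkt, in_if):
        # Ingress tap: the capture sees the packet before any netfilter hook runs.
        self.captures[in_if].append(pkt)
        if in_if == self.int_if:
            # Outbound: source address rewritten (masquerade) before leaving via (a).
            # Simplification: the source port is kept unchanged.
            self.conntrack[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            out, out_if = pkt._replace(src=self.ext_ip), self.ext_if
        else:
            # Inbound: only replies matching a tracked connection are un-NATed.
            inner = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
            if pkt.dst != self.ext_ip or inner is None:
                return None  # not forwarded, yet already recorded at ingress on (a)
            out, out_if = pkt._replace(dst=inner), self.int_if
        # Egress tap: the capture sees the packet after netfilter has rewritten it.
        self.captures[out_if].append(out)
        return out


def demo():
    """Run constructed traffic through the model and return the per-interface captures."""
    gw = MasqGateway(ext_ip="203.0.113.1")
    gw.forward(Packet("192.168.1.10", 40000, "198.51.100.7", 80), in_if="b")  # request
    gw.forward(Packet("198.51.100.7", 80, "203.0.113.1", 40000), in_if="a")   # reply
    gw.forward(Packet("198.51.100.9", 4444, "203.0.113.1", 22), in_if="a")    # unsolicited
    return gw.captures


if __name__ == "__main__":
    for iface, pkts in demo().items():
        for p in pkts:
            print(f"({iface}) {p.src}:{p.sport} > {p.dst}:{p.dport}")
```

In this model the internal address never shows up in the capture on (a), while the unsolicited packet does show up there even though the gateway never forwards it.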